I run a state wide SUS system for over 50 offices using fractional T-1 connections that pretty much run the gambit from 128s on up and several home offices using VPN (DSL or fiber). I run this service using 4 servers. 2 of these support a test and production infrastructure for servers while the other two provide like services for my workstations.
SUS has a few issues, but none of them are really related to bandwidth. At least not that I've seen over the last 5 months.
It requires decent servers. I was lucky enough to be able to use Dell PowerEdge 2500s. However, before deploying statewide, I ran testing using a pretty stock Dell GX150 for about 90 workstations over our WAN.
It's configuration settings are slim. Initially, the only way that I could be sure that updates were being deployed was to have the system install and reboot (when needed) at pre-determined times in the morning. This caused a few tickets to enter our Help Desk system when a user has their workstation reboot, even given the built in 5 mintute warning box. SP4 for Win2K and a later version of SP1 for XP has resolved that to some extent.
No built-in auditing. There's not a way to insure that all of my workstations get, and apply, their updates using the SUS console. We've installed MBSA on our subnet servers to run our audits. Took a little scripting, but our internal website how has links to the text documents that MBSA creates on a daily basis. It's not elegent, or even fun, but then again, maybe the *nix crowd can get into that kind of setup.
The client. We hand configured all of our workstations and servers to point to our SUS servers for updates. This seemed to be a real handicap to the system, until we had to go from machine to machine deploying MS03-026. Sort of seemed like a no-brainer at that point.
That being said. SUS has some definate pluses that we've enjoyed.
It's free. Sure the servers cost money, and the deployment time cost money. Howerver, I still think a meduim sized oufit (200 or so workstations/servers) could get it up and running with a spare Windows 2000 Server compatible workstation (or two if you want to do it right).
I now have entire offices that I didn't have to visit for MS03-40 and it's evil cousins. Though.. I'm still travelling to 2 that have a handful of NT systems in an building full of 2K/XP.
Oh yeah.. and despite a few of the negative posts I see in this thread, it's PULL technology. "Push" and "SUS" do not belong in the same sentences. The clients randomly check for updates (using a 17-21 hour offset from their last check), download the update locally, and wait until the time you have configured for the install and reboot (if needed.) Hense, the low bandwidth requirement.
Through SUS, our XP and 2k workstations get updates after they're tested for a week.
We have a SUS test pool with about 100 workstations on it that receives all of the updates that we can receive through SUS each Monday. After a week of testing, the production SUS server (approx 3000 clients) is syncronized with the test pool server and we get last week's updates deployed by Tuesday afternoon. Then all of the lastest updates are again "approved" for the test pool.
The problem is that our network is still about 40% NT and 9x due to some legacy software that various parts of the agency can't live without or find the means to replace. These sytems are located through out the state and can take between a day and a month to get updated.
Currently, the "suits" are weighing the benefits of the various patch management tools (SMS, HFNetCHk, Altaris, Patchlink, etc.), but until they manage to fumble to agreement, we're doing it all with cars and keyboards.
But..... I digress.
Given the choice, I'd test for a week and deploy with SUS (for newer systems) and HFNetChk for the legacy systems once I'm happy that an update wont nerf my clients applications.
We put up a SUS system about 4 months ago using 4 Dell Windows 2000 Servers (2 for workstations, 2 for servers) and managed to get all but skipped by the last two viruses.
Our workstation setup is pretty much right out of the manual. We have a test pool server with about 50 clients hanging off of it state-wide that guine.... I mean test the updates for us. These boxes have a wide slice of the software we run at our various offices and include both windows XP and 2K machines. The test pool gets every update that comes to us through syncronizing with the MS servers. Our current testing cycle is 2 weeks.. though, we've been considering cutting this back to about a week. In this way we can insure that none of the updates muff any of our applications or database clients.
The other workstation server is manually syncronized with the test pool server at the end of each testing period and has the rest of our workstations hanging off it.
So far, I've been pretty happy with SUS. We still did some driving around following Blaster, but only because we felt the need to run fixblast on our NT workstations (And it gave us a chance to ck our GP settings. Of the 1600 workstations on this end of the state, we had approx. 18 workstations infected.
Our Server side is pretty much set up the same way. 5 or 6 servers that run a variety of applications and functions in a test pool that get all the updates for 2 weeks, and 50 or so servers on a production SUS server that is syncronized with the test pool after the updates come up clean.
SUS has some problems. Office support is obviously missing (though, I've heard it's listed as part of SUS 2.0) and SUS only picks up critical updates. We've evalutated products to fill those gaps (HFNetCHK Pro, Patchlink, etc.), but for the price, it's been worth the roll-out expenses.
Slashdot Mirror
I believe you ment "hung by their own Petard." Petard == a necktie while
Batard == a type of bread, I believe.
SUS has a few issues, but none of them are really related to bandwidth. At least not that I've seen over the last 5 months.
It requires decent servers. I was lucky enough to be able to use Dell PowerEdge 2500s. However, before deploying statewide, I ran testing using a pretty stock Dell GX150 for about 90 workstations over our WAN.
It's configuration settings are slim. Initially, the only way that I could be sure that updates were being deployed was to have the system install and reboot (when needed) at pre-determined times in the morning. This caused a few tickets to enter our Help Desk system when a user has their workstation reboot, even given the built in 5 mintute warning box. SP4 for Win2K and a later version of SP1 for XP has resolved that to some extent.
No built-in auditing. There's not a way to insure that all of my workstations get, and apply, their updates using the SUS console. We've installed MBSA on our subnet servers to run our audits. Took a little scripting, but our internal website how has links to the text documents that MBSA creates on a daily basis. It's not elegent, or even fun, but then again, maybe the *nix crowd can get into that kind of setup.
The client. We hand configured all of our workstations and servers to point to our SUS servers for updates. This seemed to be a real handicap to the system, until we had to go from machine to machine deploying MS03-026. Sort of seemed like a no-brainer at that point.
That being said. SUS has some definate pluses that we've enjoyed.
It's free. Sure the servers cost money, and the deployment time cost money. Howerver, I still think a meduim sized oufit (200 or so workstations/servers) could get it up and running with a spare Windows 2000 Server compatible workstation (or two if you want to do it right).
I now have entire offices that I didn't have to visit for MS03-40 and it's evil cousins. Though.. I'm still travelling to 2 that have a handful of NT systems in an building full of 2K/XP.
Oh yeah.. and despite a few of the negative posts I see in this thread, it's PULL technology. "Push" and "SUS" do not belong in the same sentences. The clients randomly check for updates (using a 17-21 hour offset from their last check), download the update locally, and wait until the time you have configured for the install and reboot (if needed.) Hense, the low bandwidth requirement.
Through SUS, our XP and 2k workstations get updates after they're tested for a week. We have a SUS test pool with about 100 workstations on it that receives all of the updates that we can receive through SUS each Monday. After a week of testing, the production SUS server (approx 3000 clients) is syncronized with the test pool server and we get last week's updates deployed by Tuesday afternoon. Then all of the lastest updates are again "approved" for the test pool. The problem is that our network is still about 40% NT and 9x due to some legacy software that various parts of the agency can't live without or find the means to replace. These sytems are located through out the state and can take between a day and a month to get updated. Currently, the "suits" are weighing the benefits of the various patch management tools (SMS, HFNetCHk, Altaris, Patchlink, etc.), but until they manage to fumble to agreement, we're doing it all with cars and keyboards. But..... I digress. Given the choice, I'd test for a week and deploy with SUS (for newer systems) and HFNetChk for the legacy systems once I'm happy that an update wont nerf my clients applications.
Our workstation setup is pretty much right out of the manual. We have a test pool server with about 50 clients hanging off of it state-wide that guine.... I mean test the updates for us. These boxes have a wide slice of the software we run at our various offices and include both windows XP and 2K machines. The test pool gets every update that comes to us through syncronizing with the MS servers. Our current testing cycle is 2 weeks.. though, we've been considering cutting this back to about a week. In this way we can insure that none of the updates muff any of our applications or database clients.
The other workstation server is manually syncronized with the test pool server at the end of each testing period and has the rest of our workstations hanging off it.
So far, I've been pretty happy with SUS. We still did some driving around following Blaster, but only because we felt the need to run fixblast on our NT workstations (And it gave us a chance to ck our GP settings. Of the 1600 workstations on this end of the state, we had approx. 18 workstations infected.
Our Server side is pretty much set up the same way. 5 or 6 servers that run a variety of applications and functions in a test pool that get all the updates for 2 weeks, and 50 or so servers on a production SUS server that is syncronized with the test pool after the updates come up clean.
SUS has some problems. Office support is obviously missing (though, I've heard it's listed as part of SUS 2.0) and SUS only picks up critical updates. We've evalutated products to fill those gaps (HFNetCHK Pro, Patchlink, etc.), but for the price, it's been worth the roll-out expenses.